Ryan Kozak

27 exploits Active since Oct 2024
CVE-2024-9162 NOMISEC HIGH WORKING POC
All-in-One WP Migration & Backup <7.86 - Code Injection
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server, adding an arbitrary PHP code to it, which may make remote code execution possible.
7 stars
CVSS 7.2
CVE-2025-5058 NOMISEC CRITICAL WORKING POC
eMagicOne Store Manager <1.2.5 - RCE
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_image() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
1 stars
CVSS 9.8
CVE-2025-4602 NOMISEC MEDIUM WORKING POC
eMagicOne Store Manager for WooCommerce <1.2.5 - Info Disclosure
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Reads in all versions up to, and including, 1.2.5 via the get_file() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
1 stars
CVSS 5.9
CVE-2025-13595 NOMISEC CRITICAL WORKING POC
CIBELES AI <= 1.10.8 - Unauthenticated Arbitrary File Upload via actualizador_git.php
The CIBELES AI plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.10.8. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible.
1 stars
CVSS 9.8
CVE-2025-23968 NOMISEC CRITICAL WORKING POC
WPCenter AiBud WP <1.8.5 - Code Injection
Unrestricted Upload of File with Dangerous Type vulnerability in WebFactory AiBud WP aibuddy-openai-chatgpt allows Upload a Web Shell to a Web Server.This issue affects AiBud WP: from n/a through <= 1.9.
1 stars
CVSS 9.1
CVE-2025-12399 GITHUB HIGH python WORKING POC
Alex Reservations: Smart Restaurant Booking <2.2.3 - File Upload
The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-json/srr/v1/app/upload/file REST endpoint in all versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS 7.2
CVE-2025-6586 NOMISEC HIGH WORKING POC
WordPress Download Plugin <2.2.8 - RCE
The Download Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dpwap_plugin_locInstall function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS 7.2
CVE-2025-9216 NOMISEC HIGH WORKING POC
StoreEngine < 1.5.0 - Authenticated Arbitrary File Upload via CSV Import Function
The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS 8.8
CVE-2025-9215 NOMISEC MEDIUM WORKING POC
StoreEngine <1.5.0 - Path Traversal
The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the file_download() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
CVSS 6.5
CVE-2025-47550 NOMISEC MEDIUM WORKING POC
Themefic Instantio <= 3.3.16 - Unauthenticated Arbitrary File Upload
Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Instantio instantio allows Upload a Web Shell to a Web Server.This issue affects Instantio: from n/a through <= 3.3.16.
CVSS 6.6
CVE-2025-4603 NOMISEC CRITICAL WORKING POC
eMagicOne Store Manager - Path Traversal
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
CVSS 9.1
CVE-2025-47549 NOMISEC CRITICAL WORKING POC
Themefic Ultimate Before After Image ... - Unrestricted File Upload
Unrestricted Upload of File with Dangerous Type vulnerability in Themefic BEAF beaf-before-and-after-gallery allows Upload a Web Shell to a Web Server.This issue affects BEAF: from n/a through <= 4.6.10.
CVSS 9.1
CVE-2025-5961 NOMISEC HIGH WORKING POC
WPvivid Backup & Migration < 0.9.116 - Authenticated Arbitrary File Upload via wpvivid_upload_import_files
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers.
CVSS 7.2
CVE-2025-6220 NOMISEC HIGH WORKING POC
Ultra Addons for Contact Form 7 <3.5.12 - File Upload
The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 3.5.12. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS 7.2
CVE-2025-12973 NOMISEC HIGH WORKING POC
S2B AI Assistant for WordPress - Arbitrary File Upload
The S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeFile() function in all versions up to, and including, 1.7.8. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS 7.2
CVE-2025-13380 NOMISEC MEDIUM WORKING POC
AI Engine for WordPress: ChatGPT - Arbitrary File Read
The AI Engine for WordPress: ChatGPT, GPT Content Generator plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1. This is due to insufficient validation of user-supplied file paths in the 'lqdai_update_post' AJAX endpoint and the use of file_get_contents() with user-controlled URLs without protocol restrictions in the insert_image() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
CVSS 6.5
CVE-2025-13374 NOMISEC CRITICAL WORKING POC
Kalrav AI Agent <2.3.3 - File Upload
The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS 9.8
CVE-2025-13597 NOMISEC CRITICAL WORKING POC
AI Feeds <= 1.0.11 - Unauthenticated Arbitrary File Upload via actualizador_git.php
The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible.
CVSS 9.8
CVE-2025-4336 NOMISEC HIGH WORKING POC
eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Upload via set_file() Function
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
CVSS 8.1
CVE-2025-13390 NOMISEC CRITICAL WORKING POC
WP Directory Kit <= 1.4.4 - Unauthenticated Authentication Bypass via Weak Auto-Login Token
The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.
CVSS 10.0
CVE-2024-13869 NOMISEC HIGH WORKING POC
WPvivid Backup & Migration < 0.9.112 - Authenticated Arbitrary File Upload via upload_files Function
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all versions up to, and including, 0.9.112. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers.
CVSS 7.2
CVE-2026-7537 WRITEUP HIGH WORKING POC
MDJM Event Management <= 1.7.8.3 - Authenticated (Administrator+) Arbitrary File Upload via 'mdjm_email_upload_file' Parameter
The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible.
CVSS 7.2
CVE-2025-4602 WRITEUP MEDIUM WORKING POC
eMagicOne Store Manager for WooCommerce <1.2.5 - Info Disclosure
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Reads in all versions up to, and including, 1.2.5 via the get_file() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
CVSS 5.9
CVE-2025-4603 WRITEUP CRITICAL WORKING POC
eMagicOne Store Manager - Path Traversal
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
CVSS 9.1
CVE-2025-47550 WRITEUP MEDIUM WORKING POC
Themefic Instantio <= 3.3.16 - Unauthenticated Arbitrary File Upload
Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Instantio instantio allows Upload a Web Shell to a Web Server.This issue affects Instantio: from n/a through <= 3.3.16.
CVSS 6.6